Blog

Wondering if you are still vulnerable to Log4j?

Written by Kannan Udayarajan | Jan 24, 2022 2:36:00 PM

According to the experts, around 3 billion applications, consumer and enterprise services and websites got affected by the Log4J vulnerabilities.

  •  

    What is Log4j?

    Log4j is an open-source logging library developed in Java by Apache Software Foundation. It is widely used by hugely popular applications like iCloud, Steam and Minecraft, along with millions of other applications; so the probable breakout of this issue is astronomical.

    What is Log4shell?

    On Dec 9th 21, a 0-day exploit was discovered in the popular Java logging library log4j (v2) which leads to Remote Code Execution (RCE) by logging a certain string. It has now been published as CVE-2021–44228, CVE-2021-45105, CVE-2021-45046 This vulnerability is popularly known as “Log4Shell vulnerability”

     

    Affected Versions

    Log4j Version:
     Versions starting at 2.0-beta9 all the way up to 2.16.0 are affected by this vulnerability.
     
    JVM Version - If lower than:
    • Java 6 - 6u212

    • Java 7 - 7u202

    • Java 8 - 11.0.2

    If your Log4j version is older than 2.16.0 and your Java version follows suite with patch level older than the listed above, you most certainly fall under the vulnerable category. Currently, your internet-facing infrastructure may have already been compromised as hackers are actively exploiting this vulnerability.

    How bad is Log4Shell?

    The simple answer is “very bad”! The Log4Shell vulnerability was first spotted in Minecraft where Microsoft rolled out an emergency patch to quickly fix this issue. TechCrunch also reported that big names like Apple, Amazon, Twitter, and Cloudflare are also vulnerable to Log4Shell attacks. As per TechCrunch, “The Computer Emergency Response Team (CERT) for New Zealand, Deutsche Telekom’s CERT, and the Greynoise web monitoring service have all warned that attackers are actively looking for servers vulnerable to Log4Shell attacks. According to the latter, around 100 distinct hosts are scanning the internet for ways to exploit the Log4j vulnerability.”

    Who is Impacted?

    With Log4j being a Java-based library, there is a high chance that billions of devices are vulnerable to this exploit. Big name companies and services like Cisco, Steam, VMWare, Apple iCloud, Minecraft, Tesla and others have already been found to be vulnerable.

    Everybody that uses Apache framework’s services or any Spring-Boot Java-based framework applications using log4j2 is also likely to be at risk of this vulnerability.

     
     
     
     
     

    image: Flaticon.com


     
     
     
     

    image: Flaticon.com

     
     
     

    Injection point for attackers

    Attackers can detect this vulnerability by simply inserting their payload as “${jndi:ldap://xyz.burpcollaborator.net/a}” in some parameters, User-Agent, Referrer, Search bar, and different input fields. If attackers are getting a DNS interaction with your collaborator then it may be vulnerable.

    Remediating the Log4Shell vulnerability

    Temporary Mitigation

    Adding "log4j.format.msg.nolookups=true" to the global configuration of your server or your web applications.

    Permanent Mitigation:

    The straightforward way of remediation is updating the Log4j library to version 2.17.0 or later, since this behavior by default will be disabled.

    Want to learn more?

    Stay tuned for more information and updates on this blog.